
pkiehlp2.dll



#1 dave_p_1


Posted 09 June 2004 - 04:22 PM

I'm in the process of cleaning my system (Win2000). I have run current copies of SpyBot S&D and AdAware and found nothing. But recently I learned of Browser Helper Objects. WinPatrol and BHODemon both show the following BHO is running:

PKIEhlpP2.dll

Not only can I not find any reference to it in this forum, it's not on the BHO list, WinPatrol Plus has never heard of it, and, in fact, no search engine I've tried from Google on down can come up with a single web page that mentions it by that name or by its internal name, PKIEhlpr.

While only the one file shows as being loaded, in the same folder there is a file named PKIEhlp1.dll with the same modified date and internal name (also the same size but they don't match at the hex level).

Does anyone have any clue as to what this is? :scratchhead:

BHODemon finds the following information:
CLSID: {FF32A4CE-E54D-11D3-9FB7-E3582B1BD44D}
File Size (bytes): 32768
Time Modified: 2001/9/3 10:47:32
Time Created: 2002/12/31 18:15:12
Drive Number: 2
Comments:
CompanyName:
FileDescription: PKIEhlpr Module
FileVersion: 1, 0, 0, 1
InternalName: PKIEhlpr
LegalCopyright: Copyright 2000
LegalTrademarks:
OLESelfRegister:
OriginalFilename: PKIEhlpr.DLL
PrivateBuild:
ProductName: PKIEhlpr Module
ProductVersion: 1, 0, 0, 1
SpecialBuild:

#2 dave38


Posted 09 June 2004 - 06:19 PM

We need a closer look at what's happening.

Please download Hijack this. Unzip it into its own folder, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#3 dave_p_1


Posted 10 June 2004 - 10:32 AM

Thanks for your help. Here is the logfile. Per your instructions, I have not corrected anything yet but I did notice that QuickTime put itself back in and I plan to take it out (again). The one entry that caused me to post in the first place is:

O2 - BHO: (no name) - {FF32A4CE-E54D-11D3-9FB7-E3582B1BD44D} - C:\WINNT\system32\PKIEHLP2.dll

These are the programs I know should be running (the whole logfile follows):

Hardware specific files include:
Dell/Netropa keyboard (nhksrv.exe, MMKeybd.exe, mmusbkb2.exe, OSD.exe)
Yamaha Sound Card (SxgTkBar.exe)
Kensington Trackball (kmw_run.exe, KMW_SHOW.EXE)
Kanguru Flash Drive encryption (FlashEnc.exe)

Background security includes:
Norton AntiVirus (DefWatch.exe, NALNTSRV.EXE, tvscan.exe)
ZoneAlarm (vsmon.exe, zlclient.exe)
WinPatrol (WinPatrol.exe)
Spybot S&D (SDHelper.dll)

Other programs running background tasks include:
Adobe Acrobat (AcroIEHelper.dll, AcroIEFavClient.dll)
Novell NetWare (NWTRAY.EXE)
Lotus QuickPlace (qp2.cab)
MS Windows & Office Update (opuc.cab, iuctl.CAB)
MS Project (pjclient.cab)
Shockwave (swflash.cab)

- - -

Logfile of HijackThis v1.97.7
Scan saved at 11:04:39 AM, on 6/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\NALNTSRV.EXE
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SxgTkBar.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\FlashEnc\FlashEnc.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT\system32\kmw_run.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\system32\KMW_SHOW.EXE
C:\program files\Mozilla Firefox\firefox.exe
C:\program files\HiJackThis\HijackThis.exe

R1 - (This was the correct proxy setting which I've deleted)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FF32A4CE-E54D-11D3-9FB7-E3582B1BD44D} - C:\WINNT\system32\PKIEHLP2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [FlashEnc] C:\Program Files\FlashEnc\FlashEnc.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol PLUS] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://134.67.213.96/qp2.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {484A7A26-FDB0-11D0-8D2B-00C04FB92E89} (MS Project Text Conversion Class) - http://161.80.164.16...ts/pjclient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7876.3102893519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
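
The triage this post sets up, checking each O2 (BHO) entry against the software the poster knows is installed, as an added example that is not part of the original thread. The `KNOWN_DLLS` set and the function names are assumptions built from the file names listed in the post.

```python
import re
from ntpath import basename  # parses Windows paths on any host OS

# HijackThis O2 line layout: "O2 - BHO: <name> - {CLSID} - <DLL path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

# DLLs the poster attributed to installed software (Adobe Acrobat, Spybot S&D).
KNOWN_DLLS = {"acroiehelper.dll", "acroiefavclient.dll", "sdhelper.dll"}

# The four O2 entries copied from the log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FF32A4CE-E54D-11D3-9FB7-E3582B1BD44D} - C:\WINNT\system32\PKIEHLP2.dll
"""


def parse_bhos(log_text):
    """Return (entries, unparsed): O2 entries as dicts, plus O2 lines that did not parse."""
    entries, unparsed = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("O2 - BHO:"):
            continue
        match = O2_RE.match(line)
        if match:
            entries.append(match.groupdict())
        else:
            unparsed.append(line)  # keep unreadable lines visible for manual review
    return entries, unparsed


def unexplained_bhos(log_text, known_dlls=KNOWN_DLLS):
    """Return BHO entries whose DLL file name is not on the known list (case-insensitive)."""
    entries, unparsed = parse_bhos(log_text)
    flagged = [e for e in entries if basename(e["path"]).lower() not in known_dlls]
    return flagged, unparsed


if __name__ == "__main__":
    flagged, unparsed = unexplained_bhos(SAMPLE_LOG)
    for entry in flagged:
        print(f'{entry["clsid"]}  {entry["path"]}')
    for line in unparsed:
        print("could not parse:", line)
```

Matching on file name alone is only a first-pass filter: a name on the known list does not show that the file on disk is the vendor's original.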

#4 dave38


Posted 10 June 2004 - 02:49 PM

The only thing suspicious in your log is the pkiehlpr BHO.

Fix it with Hijack this, and reboot. That should remove it. Ensure that all Internet Explorer windows are closed before clicking on "fix checked".

#5 dave_p_1


Posted 14 June 2004 - 01:02 PM

Thanks for taking a look at the log. I reached the same conclusion.

STILL, have you ever seen that BHO? I've tried all the main search engines and I can't find a reference to "pkiehlp" anywhere on the internet.

Dave



